Payment Services Directive 2 – better known as PSD2 – has been a hot topic since it came into effect in January 2018, with the EU and many banks vigorously pursuing its development. Businesses have until September 2019 to ensure they are compliant. To that end, it’s time that we take a deep dive into PSD2. What is it, what has changed, and where are the opportunities?
To set some context, the Payments Service Directive (PSD) is a European Union (EU) directive aimed at regulating payment services and payment service providers (PSPs) throughout the EU and European Economic Area (EEA).
The first iteration of the PSD was published in 2007 and implemented in the UK in 2009.
With rapidly changing markets, international expansion, and the ever-increasing number of new players and challenger financial institutions, a review of the PSD was conducted in 2012. The outcome was a revision of the legislation. Enter PSD2.
The new rules in PSD2 will have far-reaching impacts on banks, various payment service providers, and online merchants, particularly in relation to new requirements around customer authentication and the introduction of open banking.
Key objectives of PSD2:
- To contribute to a more integrated and efficient European payments market
- To increase competition
- To make payments safer and more secure
- To increase the protection of consumers
- To encourage lower fees for payment services
The UK market is seeing a significant increase in real-time payments transactions, with an estimated 2.3 billion digital payments transactions in 2026. In what has been described as a move towards a digital single market, PSD2 aims to protect consumers against fraud and other abuses.
At its heart, PSD2 aims to increase competition, innovation, and transparency across the European payments market, whilst increasing the security of digital payments and transactions for consumers.
PSD2’s Changes to Consumer Protection and Security
From a fraud prevention and dispute resolution perspective, the most impactful aspects of PSD2 are in its intended effect on consumer protection and security.
The directive aims to increase consumer protection in a number of ways:
- Payments sent or received where one of the PSPs is located outside the EEA will be covered, as will all non-EEA currencies
- The amount the payer could be obliged to pay (or, in practice, which they would not be able to recover from their bank or other payment service provider) in the event of an unauthorised payment scenario has reduced from €150 to €50 – except in cases of fraud or gross negligence by the payer
- A legislative basis to the unconditional refund right
- With pre-authorisation of card payments, when the final amount is unknown in advance, the payee will only be able to ‘ring-fence,’ or set aside, funds on the payer’s account when the cardholder has approved the exact amount to be blocked
- PSPs must introduce dispute resolution procedures and will be required to respond to payment complaints within 15 business days of receipt
- Member States are required to designate competent authorities to ensure and monitor compliance within PSD2 – this is the FCA in the UK
In relation to security, one of the major implications of PSD2 is the inclusion of a specific mandate that focuses on Strong Customer Authentication (SCA) as a way to improve security for consumers. Under PSD2, payment service providers are required to implement SCA on certain transactions. One type of SCA is two-factor authentication. For this, the consumer is required to enter a piece of information from two or more of the following:
- Knowledge: This is something only the customer knows, such as a password or PIN. Note that card data (e.g., card number, CVV, or expiry date) are not considered to be a knowledge factor.
- Possession: This is something the customer has – for example, a smartphone or hardware token.
- Inherence: This is something the customer “is,” e.g., a biometric factor such as fingerprint or facial recognition. Behavioural biometrics are also recognised as valid for submission.
The challenge with SCA two-factor authentication is that it gets in the way of frictionless, quick-and-easy payment methods. As consumers have to jump through more hoops, they are more likely to abandon purchases.
As a result, the PSD2 regulation has included some exemptions to allow merchants to provide frictionless payments for certain transactions. The following applies to card payments:
- Transactions up to €30 – frictionless flow is allowed for all transactions. This exemption is capped at five transactions, or transactions totalling €100, since the last SCA. This is based on the transactions on the card itself, not on transactions coming from a certain acquirer or merchant. Once this cap is reached, SCA is required and the counter is then reset to zero. The issuer is responsible for this, as only the issuer has this information. Neither the acquirer nor the merchant is able to detect if a card has reached its limit.
- For transactions up to €100 – frictionless flow is allowed if the acquirer’s fraud rate is less than 0.13%
- For transactions up to €250 – frictionless flow is allowed if the acquirer’s fraud rate is less than 0.06%
- For transactions up to €500 – frictionless flow is allowed if the acquirer’s fraud rate is less than 0.01%
- Customers can “whitelist” businesses as trusted beneficiaries, so that SCA is not required for transactions. SCA will be required for the customer’s first transaction with the business but not for subsequent transactions.
- Although whitelisting has the potential to make repeat purchases more convenient for consumers, there is a lack of consensus on the mechanism to use to “add” merchants to this list. In addition, as many companies have various subsidiaries and affiliates, questions arise as to which company should be added to a whitelist. It remains to be seen how the industry will overcome this challenge.
Subscriptions or Recurring Transactions
- A series of recurring payments to the same business for the same amount will not require SCA. The initial setup of the recurring payment will still require SCA, but all following payments will be exempt.
Secured Corporate Payments
- SCA is not required for corporate payments using dedicated payment processes or protocols, in the cases where it can be established that those processes achieve high levels of security of payment.
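The card-payment exemption rules above can be expressed as an issuer-side decision function. The following is an added illustration written for this article, not code from any issuer, scheme or the directive itself; it assumes fraud rates are given as fractions (0.13% = 0.0013), that the fifth low-value transaction is still exempt and the sixth triggers SCA, and that the issuer keeps the counters, as the text states.

```python
from dataclasses import dataclass

# Thresholds taken from the article's card-payment exemptions (amounts in EUR).
LOW_VALUE_LIMIT = 30.00
LOW_VALUE_MAX_COUNT = 5       # low-value exemptions allowed since the last SCA
LOW_VALUE_MAX_TOTAL = 100.00  # cumulative low-value amount allowed since the last SCA
# Transaction risk analysis tiers: (amount limit, acquirer fraud rate must be below this).
TRA_TIERS = [(100.00, 0.0013), (250.00, 0.0006), (500.00, 0.0001)]


@dataclass
class CardState:
    """Issuer-side counters for one card since the cardholder last completed SCA.
    Only the issuer can keep these; acquirers and merchants cannot see them."""
    count_since_sca: int = 0
    total_since_sca: float = 0.0


def exemption_for(amount, fraud_rate, state, *, whitelisted=False, recurring_followup=False):
    """Return the name of an applicable exemption, or None if SCA is required.
    Precedence order is an assumption for this example, not a rule from the text."""
    if recurring_followup:            # follow-up payment of an already-authenticated series
        return "recurring"
    if whitelisted:                   # merchant is a trusted beneficiary after first SCA
        return "trusted_beneficiary"
    if amount <= LOW_VALUE_LIMIT:
        if (state.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT
                and state.total_since_sca + amount <= LOW_VALUE_MAX_TOTAL):
            return "low_value"
    # Higher tiers need lower fraud rates, so the first tier the amount fits decides.
    for limit, max_rate in TRA_TIERS:
        if amount <= limit:
            return "tra" if fraud_rate < max_rate else None
    return None                       # above €500: always SCA


def process(amount, fraud_rate, state, **flags):
    """Decide on one transaction and update the issuer's counters.
    Returns (sca_required, exemption); an SCA resets the counters to zero."""
    exemption = exemption_for(amount, fraud_rate, state, **flags)
    if exemption is None:
        state.count_since_sca = 0
        state.total_since_sca = 0.0
        return True, None
    state.count_since_sca += 1
    state.total_since_sca += amount
    return False, exemption
```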
What Are the Consumer Implications?
PSD2 will bring about major changes in relation to the accessibility of account data to authorised third parties, provided a customer has given explicit consent to its bank to allow the third-party access. Payment initiation services are one example. These service providers have brought innovation and competition, providing alternatives for internet payments – but previously they have been unregulated. Bringing them under PSD2 helps to boost transparency and security within the single market. It also helps future-proof consumer security as more and more frictionless payment options are being created.
The PSD2 deadline is coming, and understanding what it means for your business and how you can implement it should be front of mind. It also presents an opportunity, as it forces businesses and banks to update their systems, increase collaboration efforts, and improve fraud prevention and security platforms.